
The Ultimate Guide to ISO 27001 Clause 6.1.1: Planning General

Last updated Sep 10, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

What is ISO 27001 Clause 6.1.1?

ISO 27001 Clause 6.1.1 comes under ISO 27001 Clause 6 and relates directly to planning. It is a relatively easy clause to satisfy with ISO 27001 templates. To implement ISO 27001 and go for ISO 27001 certification means that you must satisfy this requirement.

What are the ISO 27001:2022 Changes to Clause 6.1.1?

Brace yourself. The massive update was to remove the word ‘and’ from 6.1.1 b.

Requirement

This clause is about planning and you have to demonstrate a couple of things.

You will demonstrate, show and evidence that, when you planned your information security management system, you took into account the issues identified in ISO 27001 Clause 4.1 Understanding the organisation and its context and the requirements identified in ISO 27001 Clause 4.2 Understanding the needs and expectations of interested parties.

In addition, you are going to work out the risks and opportunities that need to be addressed so that:

  • your information security management system can achieve its intended outcome(s)
  • you can prevent, or reduce, undesired effects
  • you can achieve continual improvement

You are going to plan, document and evidence:

  • actions to address these risks and opportunities
  • how to integrate and implement these actions into your information security management system processes
  • how to evaluate the effectiveness of these actions

Definition

The ISO 27001 standard defines clause 6.1.1 as:

When planning for the information security management system, the organisation shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) ensure the information security management system can achieve its intended outcome(s);

b) prevent, or reduce, undesired effects

c) achieve continual improvement.

The organisation shall plan:

d) actions to address these risks and opportunities; and

e) how to

1) integrate and implement these actions into its information security management system processes; and

2) evaluate the effectiveness of these actions.

ISO 27001:2022 Clause 6.1.1 Planning General

How to implement ISO 27001 clause 6.1.1

There are a number of ways to meet the requirements of this ISO 27001 clause when going for ISO 27001 certification, but an effective fast track is the use of ISO 27001 templates. The following ISO 27001 template documents will meet the demands of ISO 27001 clause 6.1.1.

Implement Risk Management Policy

You will implement a Risk Management Policy that sets out your approach to risk management.

ISO 27001 Risk Management Policy Template

Implement Risk Process

You will implement your Risk Management Process that sets out how you manage risk.

ISO 27001 Risk Management Procedure Template

Implement Risk Register

You will implement the Risk Register to capture, manage and report risks. These are reported to and overseen by the Management Review Team.

ISO 27001 Risk Register Template

Implement Continual Improvement Policy

Risk management is part of continual improvement, and you will implement your Continual Improvement Policy.

ISO 27001 Continual Improvement Policy Template

ISO 27001 Clause 6.1.1 Implementation Checklist

Planning General ISO 27001 Clause 6.1.1 Implementation Checklist:

1. Identify Information Security Risks

Determine potential threats and vulnerabilities that could impact the confidentiality, integrity, and availability of information.

Challenge: Difficulty in comprehensively identifying all potential risks, especially emerging ones. Lack of expertise in risk assessment methodologies.

Solution: Utilise a structured risk assessment methodology (e.g., ISO 31000), involve diverse interested parties (IT, legal, business units), and conduct regular threat intelligence reviews. Consider using automated risk assessment tools.

2. Identify Information Security Opportunities

Explore potential improvements to the ISMS, such as new technologies, process enhancements, or training programs.

Challenge: Overlooking opportunities due to a focus on risks. Difficulty in quantifying the benefits of opportunities.

Solution: Actively seek opportunities through brainstorming sessions, industry research, and feedback from employees and customers. Develop clear criteria for evaluating the potential value of opportunities.

3. Analyse Risks

Evaluate the likelihood and impact of identified risks to prioritise them.

Challenge: Subjectivity in risk assessment. Lack of reliable data for estimating likelihood and impact.

Solution: Use a consistent risk assessment scale and criteria. Gather historical data and expert opinions to support estimations. Document the rationale behind risk ratings.

4. Analyse Opportunities

Assess the potential benefits and feasibility of identified opportunities.

Challenge: Difficulty in comparing opportunities with different types of benefits (e.g., cost savings vs. improved security).

Solution: Develop a framework for evaluating opportunities based on factors like cost, effort, impact on security, and alignment with business objectives.

5. Determine Risk Treatment Options

Select appropriate actions to mitigate or manage risks, such as avoidance, transfer, mitigation, or acceptance.

Challenge: Choosing the most cost-effective and appropriate treatment option. Difficulty in implementing complex mitigation measures.

Solution: Conduct a cost-benefit analysis for each treatment option. Prioritise treatments based on risk level and feasibility. Develop detailed implementation plans for chosen treatments.

6. Determine Opportunity Implementation Plans

Define how identified opportunities will be realised, including resources, timelines, and responsibilities.

Challenge: Difficulty in securing resources for implementing opportunities. Lack of clear ownership and accountability.

Solution: Develop a project plan for each opportunity, including clear objectives, tasks, timelines, and resource allocation. Assign responsibilities and establish clear communication channels.

7. Establish Objectives for Risk Treatment and Opportunity Implementation

Define specific, measurable, achievable, relevant, and time-bound (SMART) objectives for risk reduction and opportunity realisation.

Challenge: Setting unrealistic or unmeasurable objectives. Difficulty in tracking progress towards objectives.

Solution: Involve interested parties in setting objectives. Define clear metrics for measuring progress. Regularly monitor and report on progress.

8. Develop a Risk Treatment Plan

Document the chosen risk treatment options, implementation details, responsible parties, and timelines.

Challenge: Difficulty in maintaining and updating the risk treatment plan. Lack of integration with other ISMS processes.

Solution: Use a centralised risk register or management system to document and track risk treatments. Regularly review and update the plan as needed. Integrate the plan with other ISMS processes, such as incident management and change management.

9. Develop an Opportunity Implementation Plan

Document the chosen opportunities, implementation details, responsible parties, and timelines.

Challenge: Similar to risk treatment plans, keeping the opportunity implementation plan up-to-date and integrated can be challenging.

Solution: Mirror the solutions for risk treatment plans: use centralised systems, regular reviews, and integration with other ISMS processes.

10. Communicate

Communicate risk and opportunity information to relevant interested parties and seek their input.

Challenge: Difficulty in communicating complex technical information to non-technical audiences. Lack of engagement from interested parties.

Solution: Tailor communication to the audience. Use visual aids and plain language. Actively solicit feedback and involve interested parties in decision-making. Establish regular communication channels.

ISO 27001 Clause 6.1.1 Audit Checklist

How to audit ISO 27001 Clause 6.1.1 Planning General:

1. Review the Risk Assessment Methodology

Verify the existence and appropriateness of a documented risk assessment methodology.

  • Document review (policies, procedures)
  • interviews with risk management personnel
  • comparison against ISO 31000 principles
  • observation of a risk assessment in progress

2. Examine Risk Registers and Documentation

Inspect the risk register for completeness, accuracy, and evidence of risk analysis (likelihood and impact).

  • Document review (risk register, risk assessment reports)
  • data analysis (trends in risk levels)
  • sampling of risk entries for detailed review
  • interviews with risk owners

3. Evaluate the Identification of Opportunities

Confirm the process for identifying opportunities for ISMS improvement.

  • Interviews with management and staff
  • analysis of improvement logs and project proposals
  • review of strategic planning documents

4. Assess the Risk Treatment Process

Verify the defined process for selecting and implementing risk treatment options.

  • Document review (policies, procedures)
  • interviews with risk management personnel
  • review of risk treatment decisions and their rationale
  • walkthrough of a risk treatment selection process

5. Evaluate Opportunity Implementation Plans

Review plans for implementing identified opportunities.

  • Document review (project plans, implementation schedules)
  • interviews with project managers
  • review of resource allocation documentation
  • observation of opportunity implementation activities

6. Verify the Establishment of Objectives

Confirm the existence of SMART objectives for risk treatment and opportunity implementation.

  • Document review (ISMS objectives, risk treatment plans)
  • interviews with management
  • analysis of performance metrics and reports
  • review of strategic plans

7. Examine Risk Treatment and Opportunity Implementation Plans

Inspect documented plans for details on chosen options, implementation steps, responsibilities, and timelines.

  • Document review (risk treatment plans, project plans)
  • walkthrough of an implementation plan
  • interviews with responsible parties
  • review of change management records

8. Review Evidence of Implementation

Gather evidence of implemented risk treatments and opportunity implementation plans.

  • Document review (policies, procedures, training records, system configurations, test results)
  • observation of processes
  • interviews with staff
  • penetration testing (for technical controls)

9. Evaluate Communication and Consultation

Check processes for communicating risk and opportunity information to stakeholders.

  • Interviews with stakeholders
  • review of communication logs and meeting minutes
  • analysis of communication effectiveness surveys
  • review of stakeholder feedback mechanisms

10. Assess the Effectiveness of Actions

Evaluate the effectiveness of implemented actions in achieving objectives.

  • Analysis of performance data (e.g., incident rates, vulnerability scan results)
  • review of management review outputs
  • interviews with management and staff
  • benchmarking against industry best practices

How to comply with ISO 27001 Clause 6.1.1 Planning

Time needed: 1 day

  1. Build your information security management system (ISMS)

    Using the ISO 27001 Toolkit to fast track your implementation, build your information security management system following the step by step guides and videos.

  2. Implement your risk management policy

    Implement the risk management policy that sets out what you do for risk management and what your risk appetite is.

  3. Implement your risk management process

    Implement your risk management process that shows how you manage risk: how you identify risk, how you assess risk, how you accept risk and the different levels of risk acceptance.

  4. Manage your risk via a risk register

    Implement a risk register that allows you to fully manage, record and report on risk including residual risk.

  5. Effectively and regularly report to the Management Review Team

    Ensure that you report to the Management Review Team at least once a quarter and follow the structured management team meeting agenda as dictated by the ISO 27001 standard.
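Steps 2 to 5 above, together with the "Analyse Risks" and "Determine Risk Treatment Options" items of the implementation checklist, describe one workflow: score each risk on a consistent scale, choose a treatment, record the residual risk, and report anything still above the risk appetite to the Management Review Team. The following Python example is added here to illustrate that workflow in working code; it is not part of the ISO 27001 Toolkit or of this article. The 5-point likelihood and impact scale, the rating bands, the appetite threshold of 6 and the four sample risks are all constructed assumptions, not values taken from the standard.

```python
"""Minimal ISMS risk register: likelihood x impact scoring, treatment
selection, residual risk and a management-review summary.
Added illustration only; scale, bands, appetite and sample data are assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

SCALE = range(1, 6)      # assumed 5-point scale for likelihood and impact
RISK_APPETITE = 6        # assumed: residual score <= 6 is acceptable as-is


class Treatment(Enum):
    AVOID = "avoid"
    TRANSFER = "transfer"
    MITIGATE = "mitigate"
    ACCEPT = "accept"


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int                            # inherent likelihood, 1..5
    impact: int                                # inherent impact, 1..5
    owner: str
    treatment: Treatment = Treatment.ACCEPT
    residual_likelihood: Optional[int] = None  # after treatment; None = unchanged
    residual_impact: Optional[int] = None


def validate(risk: Risk) -> None:
    """Reject entries outside the agreed scale so ratings stay comparable."""
    for value in (risk.likelihood, risk.impact,
                  risk.residual_likelihood, risk.residual_impact):
        if value is not None and value not in SCALE:
            raise ValueError(f"{risk.risk_id}: score {value} outside scale 1..5")


def score(likelihood: int, impact: int) -> int:
    return likelihood * impact


def rating(value: int) -> str:
    """Map a score onto the bands used for prioritisation and reporting (assumed bands)."""
    if value >= 15:
        return "Critical"
    if value >= 10:
        return "High"
    if value >= 5:
        return "Medium"
    return "Low"


def inherent_score(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual_score(risk: Risk) -> int:
    """Residual equals inherent unless the treatment lowered likelihood or impact."""
    lik = risk.residual_likelihood if risk.residual_likelihood is not None else risk.likelihood
    imp = risk.residual_impact if risk.residual_impact is not None else risk.impact
    return score(lik, imp)


def needs_acceptance_signoff(risk: Risk) -> bool:
    """Residual risk above appetite must be formally accepted at management review."""
    return residual_score(risk) > RISK_APPETITE


def prioritise(register: list) -> list:
    """Treat the largest inherent risks first; ties broken by id for stable reports."""
    return [r.risk_id for r in sorted(register, key=lambda r: (-inherent_score(r), r.risk_id))]


def management_review_summary(register: list) -> dict:
    """The quarterly view for the Management Review Team: residual bands,
    risks still above appetite, and the treatment priority order."""
    for r in register:
        validate(r)
    bands = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for r in register:
        bands[rating(residual_score(r))] += 1
    return {
        "residual_by_rating": bands,
        "above_appetite": [r.risk_id for r in register if needs_acceptance_signoff(r)],
        "priority_order": prioritise(register),
    }


# Constructed sample register (not real data)
SAMPLE_REGISTER = [
    Risk("R-001", "Unpatched internet-facing web server", 4, 5, "Head of IT",
         Treatment.MITIGATE, residual_likelihood=2),
    Risk("R-002", "Laptop theft exposing customer data", 3, 4, "Security Lead",
         Treatment.MITIGATE, residual_impact=1),
    Risk("R-003", "Cloud provider outage", 2, 4, "Operations Manager",
         Treatment.TRANSFER, residual_impact=3),
    Risk("R-004", "Minor phishing-test failure rate", 2, 2, "HR Manager",
         Treatment.ACCEPT),
]

if __name__ == "__main__":
    for key, value in management_review_summary(SAMPLE_REGISTER).items():
        print(f"{key}: {value}")
```

Two design points matter for an audit. The scale check in `validate` is what keeps ratings comparable between risk owners, which is the "consistent risk assessment scale" the checklist asks for. And `needs_acceptance_signoff` makes the appetite decision explicit: a risk whose residual score is still above appetite appears in the management review summary by id, so the acceptance decision and its rationale can be evidenced rather than implied.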

Watch the Video

For a complete visual guide to this process, check out our video tutorial: How to implement ISO 27001 Clause 6.1.1

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business, which he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe, and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded, and brought to market the first-of-its-kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2, and his niche is start-up and early-stage businesses.